Beosin: Analysis of the Attack on the DeFi Protocol Penpie Resulting in Approximately $27 Million in Asset Losses
ChainCatcher news: according to Beosin Alert monitoring, the DeFi protocol Penpie, built on Pendle, has been hacked, resulting in the theft of approximately $27 million in crypto assets. Beosin provides the following brief analysis of the incident:
The attacker exploited the claimRewards function in the market contract to re-enter the staking contract, increasing the staking contract balance, and then withdrew excess tokens and staked assets from the staking contract for profit.
- The attacker first created an attack contract and constructed the corresponding market contract through the official factory.
- The attacker then called the batchHarvestMarketRewards function of the staking contract to update rewards for the market.
- During the reward update, the attack contract's claimRewards function was called back, which allowed it to re-enter the staking contract and stake the assets obtained from the flash loan. This created a discrepancy in the asset quantity of the staking contract, and the attacker withdrew the excess.
- The attacker withdrew the staked assets and repaid the flash loan for profit.
![](https://www.chaincatcher.com//upload/image/20240904/1725416836301-942436.webp)
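The accounting discrepancy described in the steps above can be reproduced in a small model. This is an added example, not Penpie, Pendle or Beosin code: it assumes the harvest step credits the staking contract's balance change across the external call as reward, and every name except batchHarvestMarketRewards and claimRewards is hypothetical. It runs the same callback against an unguarded and a guarded staking contract and reports recorded liabilities against tokens actually held.

```python
# Simplified model, not Penpie or Pendle code. Assumption: harvest credits the
# staking contract's balance change across the external call as reward.
class ReentrantCall(Exception):
    """Raised by the guarded variant when deposit() arrives mid-harvest."""

class StakingModel:
    def __init__(self, guarded):
        self.guarded, self.in_harvest = guarded, False
        self.balance = 0   # tokens the staking contract actually holds
        self.staked = {}   # account -> principal recorded by deposit()
        self.rewards = {}  # account -> rewards credited by harvest

    def deposit(self, account, amount):  # hypothetical name
        if self.guarded and self.in_harvest:
            raise ReentrantCall("deposit during harvest")
        self.balance += amount
        self.staked[account] = self.staked.get(account, 0) + amount

    def batchHarvestMarketRewards(self, market):
        self.in_harvest = True
        try:
            before = self.balance
            market.claimRewards(self)       # external call into market code
            gained = self.balance - before  # balance delta booked as reward
            self.rewards[market.owner] = self.rewards.get(market.owner, 0) + gained
        finally:
            self.in_harvest = False

    def liabilities(self):
        return sum(self.staked.values()) + sum(self.rewards.values())

class CallbackMarket:
    """Market whose claimRewards calls back into the staking contract."""
    def __init__(self, owner, amount):
        self.owner, self.amount = owner, amount

    def claimRewards(self, staking):
        staking.deposit(self.owner, self.amount)

def run(guarded, amount=1_000):
    staking = StakingModel(guarded)
    staking.deposit("other_users", 5_000)  # constructed sample funds
    try:
        staking.batchHarvestMarketRewards(CallbackMarket("caller", amount))
        outcome = "accepted"
    except ReentrantCall:
        outcome = "rejected"
    # Solvency invariant a monitor or test can assert after every call.
    return outcome, staking.liabilities(), staking.balance

if __name__ == "__main__":
    print(run(guarded=False), run(guarded=True))
```

In the unguarded run the same tokens are recorded once as principal and once as reward, so liabilities exceed the balance; a reentrancy lock shared by the harvest and deposit paths keeps the two equal.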